Security Vulnerabilities on the Decline?

JavaScript issues continue to mount, but according to new report, were better off than we were in 2006.

SHARE

SHARE

Is the number of new IT security vulnerabilities growing? According to a new report from HP TippingPoint and Qualys, the total number of newly discovered IT vulnerabilities peaked in 2006 and has yet to return to the same level.

While new vulnerabilities are not being discovered and reported in the same numbers they were four years ago, the number of unpatched vulnerabilities is on the rise, as is the number of similar flaws being reported by multiple security researchers at the same time, according to HP TippingPoint. The decline in the total number of vulnerabilities may have something to do with an increased focus on security in recent years.

"As new products are released we're finding bugs in those products, but a lot of the bugs in 2006 were found in older products," Mike Dausin, manager, Advanced Security Intelligence at HP TippingPoint DVLabs told InternetNews.com. "In many cases a lot of products really take security very seriously these days and as a result there may be fewer vulnerabilities."

Dausin added that while the number of reported vulnerabilities may have declined, the business of exploitation remains lucrative for attackers and he noted that the number of attacks has increased.

The other thing that has increased is the number of security researchers reporting on the same security issue.

"This used to never happen and we suspect that this is probably a result of the toolsets for finding vulnerabilities getting better," Dausin said. "Also the vulnerability discovery space is growing, so we end up with lots of researchers looking at the same problems."

HP TippingPoint operates the Zero Day Initiative (ZDI) effort, which pays security researchers for their security vulnerabilities. ZDI then in turn responsibly discloses the security issues to the affected vendors.

Dausin noted that having multiple researchers report the same vulnerability is an alarming trend. He said that the ZDI researchers are the "good guys" and are responsibly disclosing the issues. Dausin added that it would be naïve to think that if there are multiple researchers discovering the same vulnerability at the same time that criminals aren't also discovering the same issues.

Among the big security issues that continue to grow, is the use of malicious JavaScript by attackers. Dausin suggests that on the server side, network IPS be used and antivirus on the client side to help mitigate risk.

Sometimes though, antivirus isn't enough to stop a malicious JavaScript. In order to provide a more secure app experience, Dausin advocates that an app store model evolve for the Web. In the app store model, store owners validate and ensure that code in their store doesn't include malicious elements.

"The ability to download and execute a random .exe file is a liability," Dausin said. "It's clear that the app store model by mobile vendors is a success. Some malicious code has slipped through, but the problem has diminished, so it's much more tolerable than it is in the desktop PC space."